WAF not working for requests originating from CNAME domains

I run a website that requires a lot of domains. These domains are CNAME’d to a Cloudflare proxied subdomain for my API.

Unfortunately, during DDoS, the WAF for the API domain does not work for requests coming from these other domains that are CNAMEs of the API domain.

Is this intentional or is there a way to make this work?

Such a setup should not work in the first place, as Cloudflare will not accept requests for other hostnames, unless you have custom hostnames configured.

Are you using such a setup? What are the hostnames involved?

I’m unsure of what you mean. Just to clarify, these other domains are not orange clouds. They are direct CNAMEs to the API subdomain.

I am also using a reverse proxy on the API server to manage these domains.

If the API host is proxied, it won’t work.

But again, what are the hostnames involved?

Are you asking me to list the domains? I’m not sure if I feel comfortable revealing them publicly.

Is there some information I can give you instead, like an nslookup?

You can post them and then delete your posting, but without hostnames it is not possible to comment on your issue.

What you described is generally not possible, unless you have the mentioned setup.

Unless you are saying you have all these domains in the same account, in which case a CNAME record to another domain may still work, still, firewall rules will still be domain specific. In that case you’d need to set them up for each domain individually.

Yes the domains are in the same account.

It sucks the WAF has to be domain specific because it complicates things a lot. Thanks anyways.

You can check out IP access rules, as these can be configured for the account, however they certainly mostly focus on IP addresses.

I did see those, however I do need more granular control like ASN blocking, user agent blocking and URI detection.

I may just have to make my own WAF for my use case.

Or hopefully Cloudflare creates a global WAF.

ASN will work with IP access rules, however user agents are not supported.

You can also check out the API to automate such setups, though that will certainly be still domain specific.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.